# Longhorn on noble — install notes
Helm values, namespace PSA, and (when Authentik is enabled) ForwardAuth overlays live in this directory. Install flow is covered in [`ansible/roles/noble_longhorn`](../../../../ansible/roles/noble_longhorn/) and [`talos/runbooks/longhorn.md`](../../../../talos/runbooks/longhorn.md).
## RBAC, Trivy KSV, and accepted risk
The upstream Longhorn chart ships a **`longhorn-role` ClusterRole** with broad permissions: wildcard verbs on several API groups, **list/watch on Secrets** (policy tools treat cluster-scoped secret reads as high risk), **create/patch/delete** on mutating/validating **WebhookConfiguration** objects, and **delete/deletecollection** on **Pods**. Trivy’s built-in Kubernetes checks (for example **AVD-KSV-0041**, **0045**, **0048**, **0114**) flag that role. **This is expected** for a storage controller that installs CRDs, runs CSI-style components, and manages workload pods; shrinking that role without upstream support is likely to **break Longhorn**.
The chart also includes a **support-bundle** flow that binds a dedicated service account to **`cluster-admin`**. Treat that as **high privilege**: limit who can create or use support-bundle workloads in **`longhorn-system`**, and disable or avoid the feature if you do not need vendor diagnostics.
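
The two paragraphs above describe what Trivy flags in `longhorn-role` and the support-bundle binding to `cluster-admin`. The script below is an added example, not code from this repo or from the Longhorn chart: it re-implements those permission patterns as an offline check you can run against `kubectl get ... -o json` output after a chart upgrade, to confirm the accepted baseline has not grown. The embedded sample objects are constructed to resemble the shapes described above and are not a copy of the real upstream role or binding; the checks are a reading of this README, not Trivy's KSV policy code, and are not tied to particular AVD-KSV ids.

```python
"""Offline audit of Longhorn-style RBAC objects for the patterns described above.

Usage against a cluster:
  kubectl get clusterrole longhorn-role -o json | python3 rbac_audit.py role
  kubectl get clusterrolebindings -o json       | python3 rbac_audit.py bindings
With no argument it audits the constructed sample objects embedded below.
"""
import json
import sys

# Each check: (name, apiGroup, resource, verbs that make the grant risky).
# These encode the patterns called out in this README, not Trivy's own policies.
WEBHOOK_WRITE = {"create", "update", "patch", "delete", "deletecollection"}
CHECKS = [
    ("secret-read", "", "secrets", {"get", "list", "watch"}),
    ("webhook-config-write", "admissionregistration.k8s.io",
     "mutatingwebhookconfigurations", WEBHOOK_WRITE),
    ("webhook-config-write", "admissionregistration.k8s.io",
     "validatingwebhookconfigurations", WEBHOOK_WRITE),
    ("pod-delete", "", "pods", {"delete", "deletecollection"}),
]


def rule_covers(rule, api_group, resource, verbs):
    """True if one RBAC rule grants any of `verbs` on `resource` in `api_group`.
    A '*' entry in apiGroups, resources or verbs matches everything, as in
    Kubernetes RBAC."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    rule_verbs = set(rule.get("verbs", []))
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in rule_verbs or bool(rule_verbs & verbs)))


def audit_cluster_role(role):
    """Return (check-name, rule-index) pairs, at most one per pattern per rule."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        fired = []
        if "*" in rule.get("verbs", []):
            fired.append("wildcard-verbs")
        for name, group, resource, verbs in CHECKS:
            if name not in fired and rule_covers(rule, group, resource, verbs):
                fired.append(name)
        findings.extend((name, idx) for name in fired)
    return findings


def cluster_admin_subjects(binding_list, namespace="longhorn-system"):
    """Return 'kind/namespace/name' for every subject in `namespace` that a
    ClusterRoleBinding ties to cluster-admin (the support-bundle pattern)."""
    out = []
    for binding in binding_list.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in binding.get("subjects", []):
            if subj.get("namespace") == namespace:
                out.append(f"{subj.get('kind')}/{namespace}/{subj.get('name')}")
    return out


# Constructed sample objects: they imitate the shapes described in this README
# but are NOT copies of the real longhorn-role or the chart's bindings.
SAMPLE_ROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "longhorn-role"},
  "rules": [
    {"apiGroups": ["longhorn.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
     "verbs": ["get", "list", "create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"],
     "verbs": ["get", "list", "delete", "deletecollection"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["get", "list", "watch"]}
  ]}""")

SAMPLE_BINDINGS = json.loads("""{"items": [
  {"metadata": {"name": "support-bundle-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "longhorn-system",
                 "name": "support-bundle-sa"}]},
  {"metadata": {"name": "longhorn-bind"},
   "roleRef": {"kind": "ClusterRole", "name": "longhorn-role"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "longhorn-system",
                 "name": "longhorn-sa"}]}
]}""")


def main(argv):
    what = argv[1] if len(argv) > 1 else "sample"
    if what == "role":
        for name, idx in audit_cluster_role(json.load(sys.stdin)):
            print(f"{name}: rule {idx}")
    elif what == "bindings":
        for subj in cluster_admin_subjects(json.load(sys.stdin)):
            print(f"cluster-admin bound to {subj}")
    else:
        print(audit_cluster_role(SAMPLE_ROLE))
        print(cluster_admin_subjects(SAMPLE_BINDINGS))


if __name__ == "__main__":
    main(sys.argv)
```

Keep the output of the `role` run in the repo alongside these notes and diff it after each chart upgrade: a new finding category or a new rule index means the vendor baseline changed and should be reviewed before it is re-accepted, and any `cluster-admin` subject other than the support-bundle account is a reason to stop the rollout.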
### Mitigations we rely on instead of forking RBAC
| Area | What we do |
| --- | --- |
| **Pod Security Admission** | **`longhorn-system`** is labeled **privileged** in [`namespace.yaml`](./namespace.yaml) because Longhorn requires hostPath and privileged pods; other namespaces stay on stricter defaults where configured. |
| **UI access** | Longhorn UI is exposed through **Traefik** with **oauth2-proxy** ForwardAuth to **Authentik** when the Authentik role is applied (see [`values-authentik-forwardauth.yaml`](./values-authentik-forwardauth.yaml) and [`ansible/roles/noble_authentik/README.md`](../../../../ansible/roles/noble_authentik/README.md)). |
| **Network segmentation** | Cluster CNI is **Cilium**. Add **NetworkPolicy** (or Cilium **CiliumNetworkPolicy**) for **`longhorn-system`** and workloads that talk to the Longhorn API if you need tighter east-west boundaries; this repo does not ship a default deny for Longhorn. |
| **Support bundles** | Restrict **`longhorn-system`** RBAC (who can create Jobs/Pods, impersonate, or exec) and Longhorn UI/API access so only trusted operators can trigger vendor support tooling. |

**Trivy Operator:** workload scans skip **`longhorn-system`** via **`excludeNamespaces`** in [`clusters/noble/apps/trivy/values.yaml`](../../apps/trivy/values.yaml). **ClusterRole** config audits are cluster-scoped, so findings on **`longhorn-role`** can still appear; treat them as **documented vendor baseline** unless you narrow operator config (for example dropping **ClusterRole** from config-audit kinds), which affects the whole cluster, not only Longhorn.